December 1, 2020

    Why Thin-client Mobile Apps Need to be Protected

    Vulnerabilities of the mobile platform drive many companies to adopt thin-client mobile applications. But thinning your front end alone does not deter attackers. In this blog, we discuss the ways attackers exploit thin mobile applications and present possible solutions.

    What is a thin-client mobile app?

    A thin mobile application is a lightweight app. It executes very little code on the user’s device as the business logic is largely delegated to a backend server. Tasks such as validating requests or computing results are carried out at the server side instead of the client side. The functionality of the application itself could be limited to rendering an interface, capturing user input and displaying results. This kind of architecture is typically used for mobile banking applications.

    Why are your thin mobile apps vulnerable?

     Thin-client applications are mostly adopted for security reasons: the smaller code base of these applications reduces the overall attack surface. But this undeniable advantage should not mislead you into thinking that thin-client applications are impervious to hacking.

    • Your thin-client application can be used as an attack vector against the back end. Hooking frameworks (Frida, Xposed, etc.) let an attacker attach to the running process, intercept function calls, inspect memory and observe exactly how the app talks to the server. In a subsequent phase, the same framework can inject code that drives the backend with crafted or replayed requests, floods it (DoS) or triggers unintended server behavior.
    • Unobfuscated thin-client applications can easily be tampered with, repackaged and redistributed to target novice and unsuspecting users. An attacker could, for example, ship a repackaged front end that bundles malware or spyware. This kind of attack is very common.
    • A thin application hardly contains any processing logic, but its interfaces remain vulnerable. User data (passwords, PINs, etc.) can be intercepted at the application interface or on the network through side channels or man-in-the-middle (MITM) attacks. The overlay attacks demonstrated by the Cloak and Dagger research are further proof of the vulnerability of application interfaces.
    • Thin applications are as vulnerable as any other mobile application to attacks that exploit security loopholes in Android or iOS, such as Android’s master key vulnerability.

    These attacks not only imperil the users of your applications but can also incur financial and reputational damage.

    How to overcome thin-client vulnerabilities?

     Despite their smaller code base, thin-client mobile applications remain viable targets without adequate security reinforcement. As with any other mobile application, it is important to ensure that your application is hardened against reverse engineering and tampering. In addition, it is essential to implement security measures such as certificate pinning (often called SSL pinning) to validate the communication between server and client, and to perform runtime environment checks (root detection, tamper detection, hook detection) to verify the integrity of the environment in which the application is running. These measures equip the mobile application to face threats once it is deployed and allow it to safeguard itself and your backend from being exploited and compromised.
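    As an added example (not Guardsquare's code and not part of the original post), the Android class below shows the measures named above in working form: certificate pinning on the backend connection via OkHttp's CertificatePinner, root detection, hook and debugger detection, and tamper detection through the APK signing certificate. It assumes OkHttp is on the classpath and uses a hypothetical host (api.example.com), placeholder SPKI pins and a placeholder signer hash; replace all three with values from your own certificates and release keystore.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Illustrative hardening checks for a thin Android client (added example, not Guardsquare code). */
public final class ThinClientGuard {

    // Assumptions: the host and both SPKI pins are placeholders. Real pins are "sha256/" plus the
    // base64 SHA-256 of your certificate's SubjectPublicKeyInfo; always ship a backup pin as well.
    static final String API_HOST = "api.example.com";
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Assumption: hex SHA-256 of the release signing certificate, taken from your own keystore.
    static final String EXPECTED_SIGNER_SHA256 = "<hex sha-256 of your signing certificate>";

    private ThinClientGuard() {}

    /** Certificate pinning: TLS handshakes to API_HOST fail unless the chain contains a pinned key. */
    public static OkHttpClient buildPinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN) // backup pin so a key rotation does not lock users out
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    /** Root detection: su binaries in their usual locations. Cheap, and easy for an attacker to hide. */
    public static boolean isRooted() {
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/vendor/bin/su"};
        for (String path : suPaths) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Hook detection: Frida, Xposed and Substrate show up as libraries mapped into our own process. */
    public static boolean isHooked() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                String lower = line.toLowerCase();
                if (lower.contains("frida") || lower.contains("xposed") || lower.contains("substrate")) {
                    return true;
                }
            }
        } catch (IOException e) {
            return true; // an app that cannot read its own memory map is not in a normal environment
        }
        return isBeingTraced();
    }

    /** Debugger detection: a non-zero TracerPid in /proc/self/status means a ptrace client is attached. */
    static boolean isBeingTraced() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.startsWith("TracerPid:")) {
                    return !line.substring("TracerPid:".length()).trim().equals("0");
                }
            }
        } catch (IOException e) {
            return true;
        }
        return false;
    }

    /** Tamper detection: a repackaged APK is necessarily signed with a key other than our release key. */
    public static boolean isSignatureIntact(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES); // API 28+
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature signer : info.signingInfo.getApkContentsSigners()) {
                String hex = toHex(sha256.digest(signer.toByteArray()));
                if (hex.equalsIgnoreCase(EXPECTED_SIGNER_SHA256)) return true;
            }
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
        return false;
    }

    /** Run every check before the first backend request and refuse to talk to the server on failure. */
    public static boolean environmentIsTrustworthy(Context ctx) {
        return !isRooted() && !isHooked() && isSignatureIntact(ctx);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

    Call environmentIsTrustworthy() at startup and route all backend traffic through buildPinnedClient(). Note that these checks are ordinary Java methods: the same hooking framework they look for can patch isHooked() to return false if the app is shipped unobfuscated, which is why the text above treats hardening against reverse engineering as a prerequisite rather than an alternative to runtime checks.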

    Guardsquare